spam (policyd-weight + excommunicado)

1. See http://github.com/palepurple/policyd-weight – I’m trying to make some changes to policyd-weight (something I’ve been using for ages) to make it more configurable and add in a GeoIP patch which I’ve seen floating around.

2. See https://twitter.com/excommunicado and http://blog.hinterlands.org/2013/11/an-update-on-communicado/ – for a DNS Blacklist you might want to use –  using excommunicado.co.uk as a RHSBL has stopped about 700 spammy emails for me already 🙂

3. See https://github.com/palepurple/policyd-dnsbl-spf-geoip – which should improve on policyd-weight which gave me problems with it’s helo checking etc. It’s easier to configure and hopefully far easier to read the sourcecode  (still perl though ! ).

Wanted: Developer with interesting skills…. oh, and it’s for the minimum wage… (Is this a joke?)

Recently on the Twitter the following (attached) image came up – presumably legit, of a job advert. Highlights below. It’s almost like someone cut and pasted two job postings together. The phone number does appear to be legit … so perhaps the advert itself is?

Continue reading “Wanted: Developer with interesting skills…. oh, and it’s for the minimum wage… (Is this a joke?)”

Weird Akismet behaviour with WordPress (incorrect spam identification)

One of my customers uses Akismet to protect his various blogs from the masses of spam.

Oddly torwards the end of last week, Akismet started to identify everything as spam, with no error message being returned on check of spam, and the admin dashboard showing the api key/akismet were happy.

I initially thought that perhaps Akismet was just having a bad day, and the problem would go away in a few hours/days time – but this hasn’t been the case. So today, I added in a WordPress plugin to debug the HTTP calls to Akismet to see if that would help identify the problem.

 

add_action( 'http_api_debug', '_custom_http_api_debug', 10, 5 );

function _custom_http_api_debug( $response, $type, $class, $args, $url ) {    
    error_log( 'Request URL: ' . var_export( $url, true ) );
    error_log( 'Request Args: ' . var_export( $args, true ) );
    error_log( 'Request Response : ' . var_export( $response, true ) );
}

 

i.e. for a message which was known to be spam :

However, what gave me an idea that something was amiss is that if an administrator attempted to mark an incorrectly tagged comment as ham, the following was seen –

  • Post to http://xxxxx.rest.akismet.com/1.1/submit-ham
  • Response body of ‘Invalid Key’
Normally when submitting ham to the above URL you’d see a response like :
However wordpress was not displaying an error message to the administrator.
Changing the Akismet API keys involved on the sites appeared to fix the problem(s).

 

Stupid NFS (Debian Squeeze / Ubuntu Precise)

NFS really can be a major PITA. Our office network has been breaking all day.

This seemed to coincide with moving more of our computers to gigabit ethernet (removing the 100mbit CISCO 7960 phones which their network had been daisy-chained through – and seemed to cause intermittent packet loss)

Here are some tips for others unfortunate enough to use it with Debian Squeeze or Ubuntu Precise (12.04 LTS).

  1. On Ubuntu NFS clients, you’ll probably want to use proto=tcp and specify a clientaddr=in the mount options (see the below fstab example). This is especially true if you’ve not got entries for the clients within your local DNS server. If you see ‘clientaddr=0.0.0.0’ and DNS resolution for your clients isn’t working, NFS will not work.
  2. Don’t try using the nfs-kernel-server from squeeze-backports – as for some reason this causes portmap to be uninstalled, which (in my case) stops NIS from working.
  3. Ensure you increase the number of NFS server processes – see /etc/default/nfs-kernel-server (on the server node).
orange:/home /home nfs4 defaults,noatime,proto=tcp,clientaddr=172.30.33.250 0 0

SpamAssassin ruleset to try and catch India based web development spam

At work we keep receiving emails from sales-droids in India who are trying to persuade us to outsource PHP/Android/Java/whatever development to them.

Here’s my first attempt at a spamassassin rule to neutralise it – in my case, copy into a something.cf file in /etc/spamassassin/mail, and running over a suitably loaded email results in :

Content preview:  Dear Sir / Madam, I just wanted to check if you had received
   my last mails sent. Haven't heard back from you, just wondering are you interested
   in our services? Let me know if you are interested then we can discuss this
   further. [...] 

Content analysis details:   (6.9 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-1.0 ALL_TRUSTED            Passed through trusted hosts only via SMTP
 0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                            (globalseolinksourcing[at]gmail.com)
 0.0 DKIM_ADSP_CUSTOM_MED   No valid author signature, adsp_override is
                            CUSTOM_MED
 1.7 DEAR_SOMETHING         BODY: Contains 'Dear (something)'
 0.0 HTML_MESSAGE           BODY: HTML included in message
 5.0 LOCAL_INDIA_HITS       Web dev spam from India
 1.2 NML_ADSP_CUSTOM_MED    ADSP custom_med hit, and not from a mailing list

The spamassassin rule

(The intention is that the rule only fires if the email mentions India and at least 4 out of the other phrases (delhi, marketing, php etc)

# india based spam

body  __INDIA_01 /india/i
body  __INDIA_02 /delhi/i
body  __INDIA_03 /web services/i
body  __INDIA_04 /php/i
body  __INDIA_05 /java/i
body  __INDIA_06 /marketing/i
body  __INDIA_07 /website design/i
body  __INDIA_08 /dear sir/i

meta LOCAL_INDIA_HITS ( __INDIA_01  && ((  __INDIA_02 + __INDIA_03 + __INDIA_04 + __INDIA_05 + __INDIA_06 + __INDIA_07 + __INDIA_08 )) > 4)
describe LOCAL_INDIA_HITS Web dev spam from India
score LOCAL_INDIA_HITS 5.0

rsyslog selective logging with multiple postfix instances

Scenario – one Linux box runs multiple Postfix instances. By default they all log to /var/log/mail.log which makes it difficult to see what’s going on without using grep and so on. The server already uses rsyslog, and Postfix is configured to specify a syslog_name to each instance.

i.e /etc/postfix-blah/main.cf contains “syslog_name = postfix-blah

rsyslog allows you to specify filters / expressions on what is logged where. This can be done on either the program name (:programname) which corresponds to postfix’s syslog_name, or the contents of the log message (:msg) itself.

So, the easy solution is :

  • Edit /etc/rsyslog.d/postfix-domains.conf and add in
  • :programname, contains, "postfix-blah" -/var/log/mail-blah.log
  • Restart rsyslog (/etc/init.d/rsyslogd restart).
  • Watch Ubuntu moan about not using the ‘service’ command.

The leading : is important in the rsyslog rule. 

And obviously the ‘-‘ before the file path is useful for performance – so a sync isn’t called after each write.

So, it’s just a case of populating your /etc/rsyslog.d/postfix-domains.conf file with multiple lines looking like the above, but obviously different for each domain.

SSL Commands

I keep forgetting these one line OpenSSL commands – perhaps if they are here, I’ll remember —

  1. Create private key file : openssl genrsa -out server.key 2048
  2. Create certificate signing request (to send to e.g. GoDaddy) – openssl req -new -key server.key -out server.csr 
  3. Verify a certificate – openssl verify file.name
  4. To convert a .crt (base64 encoded) and .key file into a .pem file – just cat them together – cat something.crt something.key > something.pem